CVE-2025-5062

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-5062

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5062.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-5062

Published

2025-05-22T04:16:22.913Z

Modified

2026-04-10T05:29:16.059078Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

References

Affected packages

Git / github.com/woocommerce/woocommerce

Affected ranges

Type

GIT

Repo

https://github.com/woocommerce/woocommerce

Events

Introduced

Fixed

b9f31d8050f5d84704b949625d180eaf8d00d87c

Introduced

b0284be31e6348a062ad66c5e0f966fa129a54a6

Fixed

a1ea4258250b0b434508fbfb027be5ac65718eb1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.3.4"
        },
        {
            "introduced": "9.4.0"
        },
        {
            "fixed": "9.4.3"
        }
    ]
}

Affected versions

1.*

1.0

1.0.1

1.0.2

1.0.3

1.1

1.1.1

1.1.2

1.1.3

1.2

1.2.1

1.2.2

1.2.3

1.2.4

1.3

1.3.1

1.3.2

1.4

1.4.1

1.4.2

1.4.3

1.4.4

1.5

1.5.1

1.5.2

1.5.2.1

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.7.1

1.5.8

1.6-beta-1

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.5.1

2.*

2.0-beta-0

2.0.0

2.0.0-RC1

2.0.0-RC2

2.0.0-RC3

2.0.0-beta1

2.0.0-beta2

2.0.0-beta3

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.1.0

2.1.0-RC1

2.1.0-RC2

2.1.0-beta-1

2.1.0-beta-2

2.1.0-beta-3

2.2-beta-1

2.2-beta-2

2.2-beta-3

2.2.0-RC1

2.2.1

2.2.2

2.2.3

2.2.4

2.3.0

2.3.0-RC1

2.3.0-beta-1

2.3.0-beta-2

2.3.0-beta-3

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.4.0

2.4.0-RC1

2.4.0-beta-1

2.4.0-beta-2

2.4.0-beta-3

2.4.0-beta-4

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.5.0

2.5.0-RC1

2.5.0-RC2

2.5.0-RC3

2.5.0-beta-1

2.5.0-beta-3

2.6.0

2.6.0-RC1

2.6.0-RC2

2.6.0-beta-1

2.6.0-beta-2

2.6.0-beta-3

2.6.0-beta-4

2.6.1

2.6.2

2.6.3

2.7.0-RC1

2.7.0-beta-1

2.7.0-beta-2

2.7.0-beta-3

2.7.0-beta-4

3.*

3.0.0

3.0.0-rc.1

3.0.0-rc.2

3.1.0-beta-1

3.1.0-beta.1

3.1.0-beta.2

3.1.0-rc.1

3.2.0-beta.1

3.2.0-beta.2

3.2.0-rc.1

3.3.0-beta.1

3.3.0-beta.2

3.3.0-rc.1

3.4.0-beta.1

3.4.0-beta.2

3.4.0-rc.1

3.4.0-rc.2

3.5.0-beta.1

3.6.0-beta.1

3.6.0-rc.1

3.7.0-beta.1

3.7.0-rc.1

9.*

9.3.0

9.3.0-beta.1

9.3.0-rc.1

9.3.1

9.3.2

9.4.0

9.4.1

9.4.2

v1.*

v1.0

v1.0.1

v1.0.2

v1.0.3

v1.1

v1.1.1

v1.1.2

v1.1.3

v1.2

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.3

v1.3.1

v1.3.2

v1.4

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.5

v1.5.1

v1.5.2

v1.5.2.1

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.7

v1.5.7.1

v1.5.8

v1.6-beta-1

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.5.1

v2.*

v2.0-beta-0

v2.0.0

v2.0.0-RC1

v2.0.0-RC2

v2.0.0-RC3

v2.0.0-beta1

v2.0.0-beta2

v2.0.0-beta3

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.9

v2.1.0

v2.1.0-RC1

v2.1.0-RC2

v2.1.0-beta-1

v2.1.0-beta-2

v2.1.0-beta-3

v2.2-beta-1

v2.2-beta-2

v2.2-beta-3

v2.2.0-RC1

v2.2.1

v2.2.2

v2.2.3

wc-beta-tester-2.*

wc-beta-tester-2.2.0

wc-beta-tester-2.2.0.b

wc-beta-tester-2.2.1

wc-beta-tester-2.2.2

wc-beta-tester-2.2.3

wc-beta-tester-2.2.4

wc-beta-tester-2.2.5

wc-beta-tester-2.3.0

wc-beta-tester-2.3.1

wc-beta-tester-2.3.2

wc-beta-tester-2.4.0

woo-ai-0.*

woo-ai-0.1.0

woo-ai-0.2.0

woo-ai-0.4.0

woo-ai-0.5.0

woo-ai-0.6.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5062.json"